Cybersecurity researchers have uncovered an adware module called HotPage that pretends to block ads and malicious websites while secretly installing a kernel driver that allows attackers to execute code with elevated permissions on Windows machines.
The malware, known as HotPage, comes with an installer named “HotPage.exe” and includes a driver capable of injecting code into other processes, as well as two libraries for intercepting and altering browser network traffic, according to a new report from ESET researcher Romain Dumont.
The malicious software can manipulate webpage content, redirect users to other sites, or open new tabs based on specific conditions.
In addition to displaying game-related ads using its browser traffic interception capabilities, HotPage also steals system information and sends it to a remote server associated with a Chinese company called Hubei Dunwang Network Technology Co., Ltd.
The driver is tasked with injecting the libraries into browser applications and changing their behavior to modify URLs or redirect homepage settings as specified in a configuration.
The lack of access control lists (ACLs) for the driver means that even a non-privileged user could exploit it to gain elevated privileges and execute code as the NT AUTHORITYSystem account.
Dumont warned that the malware’s kernel component allows any process to communicate with it and use its code injection capability to target unprotected processes on the system.
Although the distribution method of the installer remains unknown, ESET’s investigation suggests that it was promoted as a security solution for internet cafes to enhance browsing experiences by blocking ads.
The signed driver is a notable aspect of HotPage, as it obtained an Extended Verification certificate from Microsoft despite being associated with a company that has since been removed from the Windows Server Catalog.
Microsoft requires kernel-mode drivers to be digitally signed for security reasons, but recent incidents have shown that threat actors can bypass this requirement to deploy malicious drivers.
Dumont emphasized that this adware’s sophisticated capabilities, including a kernel component and code-signing certificate, demonstrate the lengths to which developers will go to achieve their objectives.
